<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/29/2013 11:44 AM, Bryan D. Payne
wrote:<br>
</div>
<blockquote
cite="mid:CAFpPvXBqk6EdD+i-W4siQw1GERY0axXnZxvZ4XsSc+MMwjv-Eg@mail.gmail.com"
type="cite">
<div dir="ltr">Adam,
<div><br>
</div>
<div>Can you provide a little more detail on what pieces of
OpenStack you are imagining would integrate with Certmonger?
I think some concrete examples of why this is needed would go
a long ways towards helping to spark some discussion here.
But you've piqued my interest and I'd like to hear more. I'd
certainly attend a session on this in Hong Kong, for what it's
worth.</div>
</div>
</blockquote>
<br>
Anything that requires an X509. This is: anything that does TLS:
HTTPD, Messaging, etc. In addition, Keystone should use it to
manage the signing certificates. If there are certificates involved
in the crypto signing of block devices, those would be managed via
Certmonger as well. <br>
<br>
I'll see if I can set up an unconference session. Things are still
settling out on the Developers conference schedule.<br>
<br>
<blockquote
cite="mid:CAFpPvXBqk6EdD+i-W4siQw1GERY0axXnZxvZ4XsSc+MMwjv-Eg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Cheers,</div>
<div>-bryan</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Oct 28, 2013 at 10:04 AM, Adam
Young <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">PKI
requires infrastructure, more than the OpenStack project can
really dictate. What OpenStack needs is a strategy to
integrate in with existing PKI systems.<br>
<br>
Certmonger <a moz-do-not-send="true"
href="https://fedorahosted.org/certmonger/"
target="_blank">https://fedorahosted.org/certmonger/</a>
is a tool from the Fedora project for integrating with a
remote Certificate Authority. As such, it seems to fill the
gap in our strategy. It can:<br>
<br>
<br>
Perform all of the local tasks for certificate request
generation<br>
Monitor and request new certificates prior to expiration.<br>
Handle both NSS and OpenSSL local storage formats.<br>
<br>
Currently, Certmonger works against FreeIPA/Dogtag <a
moz-do-not-send="true"
href="http://pki.fedoraproject.org/wiki/PKI_Main_Page"
target="_blank">http://pki.fedoraproject.org/wiki/PKI_Main_Page</a>
and Certmaster <a moz-do-not-send="true"
href="https://fedorahosted.org/certmaster/"
target="_blank">https://fedorahosted.org/certmaster/</a>.<br>
<br>
I'd like to propose that we make Certmonger the focus for
our X509 management strategy. In order to do that, we need
to ensure that Certmonger can support a large enough array
of CA request formats.<br>
<br>
Beyond the ones listed above, what are people concerned with
supporting for CA software? The Wikipedia list of Open
Source CA implementations <a moz-do-not-send="true"
href="https://en.wikipedia.org/wiki/Certificate_authority#Open_source_implementations"
target="_blank">https://en.wikipedia.org/wiki/Certificate_authority#Open_source_implementations</a>
is fairly short. What are the dominant APIs that we need to
support?<br>
<br>
Many people might be tempted to follow the advice of "Just
let puppet handle it." I'm not certain that this is the
right approach. Disregarding the shops that don't use
Puppet or a comparable other Configuration management tool,
it appears that Puppet performs "Master side" certificate
generation, and not following the best practice of keeping
the key in secure storage on the client. I'd be interested
in hearing more feedback on this. However, it seems to me
that Puppet and Certmonger should be able to work together,
with Certmonger managing the logic for generating
certificate requests and Puppet performing the marshalling:
or maybe Certmonger can just talk directly to the Puppet
CA.<br>
<br>
I am not certain that the Puppet CA is doing Revocations or
OCSP, either, one or the other required for a full X509
implementation.<br>
<br>
It looks like Chef is also getting into the CA business. <a
moz-do-not-send="true"
href="http://www.cryptocracy.com/blog/2013/04/20/very-simple-x509-pki-with-chef"
target="_blank">http://www.cryptocracy.com/blog/2013/04/20/very-simple-x509-pki-with-chef</a><br>
<br>
I've submitted a session for this under Devstack, as there
is no general purpose "Security" heading. <a
moz-do-not-send="true"
href="http://summit.openstack.org/cfp/details/363"
target="_blank">http://summit.openstack.org/cfp/details/363</a>
However, it might be too late to schedule it. I will try to
put together an unconference session to discuss this, in
conjunction with the Security team.<br>
<br>
<br>
_______________________________________________<br>
Openstack-security mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openstack-security@lists.openstack.org"
target="_blank">Openstack-security@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
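<p>Added example, not code from Certmonger or from anyone in this thread: a POSIX shell sketch of the client-side half of the workflow discussed above. The private key is generated and kept on the host (the "key in secure storage on the client" practice Adam contrasts with master-side generation), only a CSR is produced for the CA, and a renewal check flags the certificate before it expires. It assumes the <code>openssl</code> command-line tool is installed; the self-signing step is a stand-in for a real CA such as Dogtag or Certmaster, and the names and scratch directory are constructed for the demo.</p>

```shell
#!/bin/sh
# Added example: local certificate-request tasks and an expiry monitor.
# Assumes the openssl CLI is available; WORKDIR is a scratch directory.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch dir for keys/CSRs/certs

# Generate the private key on the client and write a CSR for the CA.
# The key file stays in WORKDIR with mode 0600; only the CSR leaves the host.
make_local_request() {
    cn="$1"
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$cn.key" 2>/dev/null
    openssl req -new -key "$WORKDIR/$cn.key" -subj "/CN=$cn" \
        -out "$WORKDIR/$cn.csr" 2>/dev/null
    # Sanity check: the CSR carries the public half of the local private key.
    [ "$(openssl pkey -in "$WORKDIR/$cn.key" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$WORKDIR/$cn.csr" -pubkey -noout 2>/dev/null)" ]
}

# Stand-in CA for the demo (constructed): self-sign the CSR for N days.
# A real deployment submits the CSR to the organisation's CA instead.
issue_cert() {
    cn="$1"; days="$2"
    openssl x509 -req -in "$WORKDIR/$cn.csr" -signkey "$WORKDIR/$cn.key" \
        -days "$days" -out "$WORKDIR/$cn.crt" 2>/dev/null
}

# Return 0 (renewal needed) if the certificate expires within $2 seconds,
# 1 if it remains valid beyond that window. Mirrors the "request new
# certificates prior to expiration" task by using the lead time as a trigger.
needs_renewal() {
    crt="$1"; lead="$2"
    # openssl x509 -checkend exits 0 when the cert is still valid after $lead s.
    if openssl x509 -in "$crt" -noout -checkend "$lead" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Demo run with constructed names: request, issue a 10-day cert, check it
# against a 30-day renewal window.
make_local_request demo.example.test
issue_cert demo.example.test 10
if needs_renewal "$WORKDIR/demo.example.test.crt" 2592000; then
    echo "demo.example.test: expires within 30 days, renewal required"
else
    echo "demo.example.test: still valid beyond the renewal window"
fi
```

<p>The renewal lead time is the knob a monitor like this would poll on a schedule; a certificate that still passes the check needs no action, one that fails it should have a fresh CSR generated from a fresh local key and submitted to the CA.</p>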
<br>
</body>
</html>